When Removing Reductions Goes Wrong: Auditing Reduction Placement in Production ML-DSA Implementations

Implementing post-quantum signatures correctly in production cryptographic libraries remains challenging even after standardization. ML-DSA implementations rely on NTT-based polynomial arithmetic with lazy Montgomery reductions, and omitting a reduction may be either a valid optimization or a latent arithmetic defect. In practice, reduction calls are often removed for performance, memory, or embedded-deployment reasons, but the required correctness condition is inter-procedural: a site that appe